IcedID malware, also known as BokBot, has been leveraged in a new attack to achieve Active Directory domain compromise less than a day after securing initial access, according to The Hacker News.
Cybereason researchers discovered that the new attack's infection chain commences with an ISO image file delivered inside a ZIP archive, which results in execution of the IcedID payload. IcedID then creates a scheduled task to establish persistence and connects to a remote server to download a Cobalt Strike Beacon and other next-stage payloads. After moving laterally through the network, IcedID executes the Cobalt Strike Beacon across all workstations before deploying the Atera agent.
"Utilizing IT tools like this allows attackers to create an additional 'backdoor' for themselves in the event their initial persistence mechanisms are discovered and remediated. These tools are less likely to be detected by antivirus or EDR and are also more likely to be written off as false positives," said researchers.
BleepingComputer reports that users of several U.S. financial institutions and numerous cryptocurrency apps are the primary targets of an expanded Xenomorph malware campaign leveraging an updated version of the Android banking trojan, which has also set its sights on users in Canada, Italy, Spain, Belgium, and Portugal.